
Aricent Firewall



Aricent Firewall Overview:

Aricent Firewall provides network security for corporate networks using Access Filters. It is based on a packet filtering mechanism and can be deployed as a Screening Router between the private network and public networks such as the Internet. Aricent Firewall enables the network administrator or user to configure an extensive set of rules to enforce the security policy.


Figure 1. Deployment Scenario of Aricent Firewall

In Figure 1, the Screening Router separates the Private network from the Internet. This Screening Router is responsible for the security of the site (i.e. the Private network).

The two standard firewall architectures in which Aricent Firewall can be used as a Screening Router are:

  • Screened Host Architecture.
  • Screened Subnet Architecture.

Screened Host Architecture:

A Screened Host Architecture provides services from a host that is attached to the internal network, using a Screening Router.

Screened Subnet Architecture:

In the Screened Subnet Architecture, there are two screening routers, each connected to the perimeter network (DMZ region): one between the perimeter network and the internal network, and the other between the perimeter network and the external network (usually the Internet).

The basic building blocks of Aricent Firewall are:

  • Static Filtering
  • Adaptive Filtering
  • Service Independent Filtering

Static Filtering:

Access List based Static Filtering filters packets using statically configured filters based on the following fields:

  • Range of Source and Destination addresses
  • Protocol Type (e.g. TCP, UDP, ICMP, IGMP, RSVP, OSPF, IGP, EGP, NVP)
  • Source and Destination Port numbers
  • TOS (Type of Service) field
  • IP Options
  • IP Fragmentation
  • ICMP type and code
  • ACK and RST bits of TCP

Adaptive Filtering:

Aricent Firewall provides adaptive filtering based on temporary filters written on-the-fly by learning the traffic information. This allows access through the network when required and only as long as it is required.

Service Independent Filtering:

Aricent Firewall provides service independent filtering against potential attacks, such as IP Address Spoofing, Source Routing and Tiny fragment, from an external (Internet) network.
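The three service independent checks named above can be illustrated on a raw IPv4 packet received on the external interface. This is an added example, not Aricent code: the names `check_external` and `struct policy` are hypothetical, and the 20-byte minimum for a first TCP fragment is an assumed threshold.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum verdict { PASS, DROP_MALFORMED, DROP_SPOOF, DROP_SRCROUTE, DROP_TINYFRAG };
struct policy { uint32_t inside_net, inside_mask; }; /* hypothetical: protected prefix */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Checks one IPv4 packet that arrived on the external (Internet) interface. */
enum verdict check_external(const uint8_t *pkt, size_t len, const struct policy *pol) {
    if (len < 20 || (pkt[0] >> 4) != 4) return DROP_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || ihl > total || total > len) return DROP_MALFORMED;

    /* Spoofing: an inside source address cannot legitimately arrive from outside. */
    if ((be32(pkt + 12) & pol->inside_mask) == pol->inside_net) return DROP_SPOOF;

    /* Source routing: walk the IP options for LSRR (131) or SSRR (137). */
    for (size_t i = 20; i < ihl; ) {
        uint8_t type = pkt[i];
        if (type == 0) break;             /* end of option list */
        if (type == 1) { i++; continue; } /* no-operation, single byte */
        if (type == 131 || type == 137) return DROP_SRCROUTE;
        if (i + 1 >= ihl || pkt[i + 1] < 2 || i + pkt[i + 1] > ihl) return DROP_MALFORMED;
        i += pkt[i + 1];
    }

    /* Tiny fragment (TCP only): a first fragment too short to hold the TCP
       header, or a fragment at offset 1 (8 bytes) that would overlap it. */
    uint16_t frag = (uint16_t)((pkt[6] << 8) | pkt[7]);
    uint16_t off = frag & 0x1fff;
    int more = (frag & 0x2000) != 0;
    if (pkt[9] == 6) {
        if (off == 1) return DROP_TINYFRAG;
        if (off == 0 && more && total - ihl < 20) return DROP_TINYFRAG;
    }
    return PASS;
}

int main(void) {
    /* Constructed sample: first TCP fragment (MF set) carrying only 8 payload bytes. */
    uint8_t p[28] = {0x45,0,0,28, 0,0,0x20,0, 64,6,0,0, 203,0,113,5, 192,168,1,10};
    struct policy pol = {0xC0A80100u, 0xFFFFFF00u}; /* 192.168.1.0/24 */
    printf("verdict=%d\n", check_external(p, sizeof p, &pol));
    return 0;
}
```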

Aricent Firewall Implementation Features:

  • A master control switch is provided to enable or disable filtering. By default, the switch is disabled.
  • Switches are provided to enable/disable the following features:
    - Adaptive filtering
    - IP Address Spoofing
    - Source routing attack
    - Tiny fragment attack
    - TCP SYN flooding.
  • Statistics are maintained globally and on a per circuit basis.
  • Support for packet filtering in the Fast forwarding path.
  • Supports logical operations on the configured filters.
  • Provides authentication based on simple username/password through a preliminary Telnet session.
  • Provides extensive logging mechanism, which can be enabled/disabled on-the-fly.
  • Provides SNMP support.
  • Supports filtering on fragments (both short and large).
  • Filters the packets on IN/OUT basis of a particular interface.
  • Generation of ICMP error messages is a configurable option.
  • Conforms to Aricent Architecture for Portability Release 2.1.0.0 (FSAP2) and higher, thus ensuring highly portable code which uses flexible buffer and timer management libraries.
  • Seamless integration with Aricent IP/RIP, Aricent QoS, Aricent NAT, ICMP Module of Aricent IP/RIP, and Aricent SNMP.

Aricent Firewall Benefits:

Aricent Firewall can easily be ported across various operating systems and processor architectures since it makes very few assumptions about them.

